Firewall device to automatically select a rule required for each individual web server

ABSTRACT

A firewall device comprises a storage unit that stores therein one or more rules related to blocking a request for each of a plurality of WEB servers independently of the rule for another WEB server; a feature-amount calculating unit that calculates a feature amount for each of the WEB servers based on a number of detections with regard to each index in each of the WEB servers; and a rule updating unit that updates a rule stored in the storage unit for each of the WEB servers based on the feature amount calculated by the feature-amount calculating unit.

BACKGROUND OF THE INVENTION Field of the Invention

The present invention relates to a firewall device, and more particularly relates to a firewall device that prevents an unauthorized access from an external network by managing transmission and reception at an application level.

Description of Related Art

A web application firewall (hereinafter, “WAF”) is a firewall system that prevents an unauthorized access from an external network by managing transmission and reception at an application level. “AWS WAF” ([online], Amazon dot com incorporated, [searched on 23 Oct. 2017], Internet URL:https://aws.amazon.com/jp/waf/) is known as a typical WAF service. In this technique, a front-end server is provided between a WEB server and the Internet, and a WAF server that is configured to be communicable with the front-end server is further provided. Upon reception of a request to the WEB server, the front-end server once transfers the request to the WAF server. The WAF server has a rule for distinguishing a request to be blocked and a request to be permitted from each other (specifically, a signature in which requests to be blocked are listed), and applies this rule to the transferred request to determine whether to block or permit the transferred request. When it is determined that the transferred request is to be blocked, the front-end server discards the request without transferring it to the WEB server. On the other hand, when it is determined that the transferred request is to be permitted, the front-end server transfers it to the WEB server.

Japanese Patent Application Laid-open No. 2015-50717 discloses a computer system using a WAF. The technique described in Japanese Patent Application Laid-open No. 2015-50717 incorporates a firewall including a WAF into a network only when an unauthorized access is detected, thereby reducing the cost of the firewall. However, this technique requires an unauthorized-access detecting device for detecting an unauthorized access separately from the firewall. The unauthorized-access detecting device is configured to detect an unauthorized access by matching an access with a signature registered in advance similarly to the WAF.

In the WAF server described above, a storage area is provided for each WEB server, and a rule is held in the storage area. Therefore, the rule is held for each WEB server. This is because the contents of a request to be blocked or permitted can be different among the WEB servers.

The rule corresponding to each WEB server has to be set in the WAF server by a manager of the WEB server. However, this method has a problem of difficulty in quickly dealing with a new type of attack. To solve this problem, there is conceived a method in which a new rule is automatically and unconditionally added to a server of its own every time the new rule is disclosed by a computer security company. However, in this case, there arises another problem that the size of rules becomes very large and it occupies much of the storage area in the WAF server.

Japanese Patent Application Laid-open No. 2015-50717 also has a similar problem regarding signatures that are registered in an unauthorized-access detecting device in advance.

Therefore, an object of the present invention is to provide a firewall device that automatically selects a rule required for each individual WEB server so as to be capable of quickly dealing with a new type of attack without making the size of rules very large.

SUMMARY

In one embodiment, there is provided a firewall device comprises a storage unit that stores therein one or more rules related to blocking a request for each of a plurality of WEB servers independently of the rule for another WEB server; a feature-amount calculating unit that calculates a feature amount for each of the WEB servers based on a number of detections with regard to each index in each of the WEB servers; and a rule updating unit that updates a rule stored in the storage unit for each of the WEB servers based on the feature amount calculated by the feature-amount calculating unit.

According to the present invention, it is possible to automatically select a rule required for each individual WEB server based on the number of detections with regard to each index in a plurality of WEB servers. Therefore, it is possible to quickly deal with a new type of attack without making the size of rules very large.

BRIEF DESCRIPTION OF THE DRAWINGS

The above features and advantages of the present invention will be more apparent from the following description of certain preferred embodiments taken in conjunction with the accompanying drawings, in which:

FIG. 1A is a diagram illustrating a system configuration of a firewall system 1 according to an embodiment of the present invention;

FIG. 1B is a diagram illustrating another example of the system configuration of the firewall system 1 according to the embodiment of the present invention;

FIG. 2A is a diagram illustrating a hardware configuration of the WAF server 2;

FIG. 2B is a schematic block diagram illustrating functional blocks of the WAF server 2;

FIG. 3 is a process flowchart of a feature-amount calculating process performed by the feature-amount calculating unit 30 shown in FIG. 2B;

FIG. 4 is a process flowchart of a user-similarity calculating process performed by the user-similarity calculating unit 40 shown in FIG. 2B;

FIG. 5 is a process flowchart of a recommendation-score calculating process performed by the recommendation-score calculating unit 41 shown in FIG. 2B;

FIG. 6 is a process flowchart of a grouping process performed by the grouping processing unit 42 shown in FIG. 2B;

FIG. 7 is a diagram illustrating an example of the number of detections that is acquired when the index is a rule;

FIGS. 8A and 8B illustrate a calculation example of a feature amount in a case where the index is a rule;

FIG. 9 is a diagram illustrating a feature-amount matrix created by using a rule as an index;

FIG. 10A is a diagram illustrating rules each co-occurring between two WEB servers 3 whose WEB server ID are host000039 and host000041;

FIG. 10B is a diagram illustrating a Euclidean distance with regard to each rule calculated in the example illustrated in FIG. 10A;

FIG. 10C is a diagram illustrating a total value of Euclidean distances and a user similarity calculated in the example illustrated in FIG. 10A;

FIG. 11A is a diagram illustrating one or more rules that are not registered for a WEB server 3 whose WEB server ID is host000039 but are registered for another WEB server 3;

FIG. 11B is a diagram illustrating a feature amount for each WEB server 3 illustrated in FIG. 11A;

FIG. 11C is a diagram illustrating a recommendation score calculated with regard to each rule ID illustrated in FIG. 11B;

FIGS. 12A and 12B are diagrams illustrating an example of the number of detections acquired in the case where the index is a request type;

FIG. 12C is a diagram illustrating a calculation example of a feature amount in a case where the index is a request type;

FIG. 13 is a diagram illustrating an example of a feature-amount matrix created by using a request type as an index;

FIG. 14 is a diagram illustrating an example of grouping of a plurality of WEB servers 3 by clustering; and

FIG. 15 is a diagram illustrating an output result of DBSCAN.

DETAILED DESCRIPTIONS

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings.

FIG. 1A is a diagram illustrating a system configuration of a firewall system 1 according to an embodiment of the present invention. As illustrated in FIG. 1A, the firewall system 1 includes one WAF server 2 and a plurality of WEB servers 3.

The WEB server 3 is a computer that receives a request from a client (not illustrated) in accordance with a hypertext transfer protocol (HTTP) via the Internet, for example, and provides services corresponding to the contents of the request to the client. For example, in a case where the request is to transfer specific information (GET), when the requested information is a file (for example, an image file, an HTML file, or a text file), the WEB server 3 transfers the contents of the file to the client. When the requested information is an execution result of a program such as, e.g., PHP® or JavaScript®, the WEB server 3 executes the program and transfers information obtained as the execution result to the client. In a case where the request is data processing (POST), the WEB server 3 performs processing in accordance with data transferred from the client (for example, registration of data into a database), and transfers information obtained as the result of the processing to the client. Further, the request may include specifying specific software such as WordPress® or a file included in the software (for example, wordpress, wp-cron, or wp-content). The WEB server 3 having received this type of request executes the corresponding software or file, and transfers information obtained as the result to the client.

The WAF server 2 is a firewall device that prevents an unauthorized access from an external network to the WEB server 3 by managing transmission and reception at an application level. While the WAF server 2 is generally provided in a physically different computer from the WEB server 3, the WAF server 2 can be provided in the same computer as the WEB server 3.

Upon reception of a request from a client, each WEB server 3 once transfers the request to the WAF server 2. The WAF server 2 stores therein a rule for distinguishing a request to be blocked and a request to be permitted from each other (specifically, a signature in which requests to be blocked are listed) for each WEB server 3. The WAF server 2 matches the transferred request with this rule to determine whether to block or permit the request, and returns the determination result to the WEB server 3. When it has been determined that the request is to be blocked, the WEB server 3 discards the request. When it has been determined that the request is to be permitted, the WEB server 3 provides services corresponding to the request to the client.

Further, the WAF server 2 is configured to regularly update the contents of a rule stored for each WEB server 3 by regularly operating respective functional units illustrated in FIG. 2B described later. Although the specific contents of this process are described later, automatic selection of a rule required for each individual WEB server 3 is realized by performing this process.

FIG. 1B is a diagram illustrating another example of the system configuration of the firewall system 1 according to the embodiment of the present invention. The difference between the configuration illustrated in FIG. 1B and the configuration illustrated in FIG. 1A is that a front-end server 4 is provided. The front-end server 4 receives a request from a client in place of the WEB server 3, and once transfers the request to the WAF server 2. Subsequently, when the WAF server 2 has determined that the request is to be blocked, the front-end server 4 discards the request without transferring it to the WEB server 3. When the WAF server 2 has determined that the request is to be permitted, the front-end server 4 transfers the request to the WEB server 3. The present invention can be applied not only to the WAF server 2 in the configuration in FIG. 1A but also to the WAF server 2 in the configuration in FIG. 1B in the same way.

FIG. 2A is a diagram illustrating a hardware configuration of the WAF server 2, and FIG. 2B is a schematic block diagram illustrating functional blocks of the WAF server 2.

As illustrated in FIG. 2A, the WAF server 2 is configured to include a processor 10, an input/output interface 11, and a storage unit 12 that are mutually connected to each other via a bus 13. The processor 10 is a processing device that performs processing in accordance with a program stored in an internal main memory (not illustrated). Each function of the WAF server 2 described later is realized by processing performed by the processor 10. The input/output interface 11 is configured to include input means for receiving input from a user such as a mouse or a keyboard, output means for performing output to the user such as a display or a speaker, and communication means for communicating with other computers including each WEB server 3. The storage unit 12 is an auxiliary storage device such as a hard disk drive. A rule database 20 and a history database 21 that are described later are established in the storage unit 12.

Functionally, the WAF server 2 is configured to include the rule database 20, the history database 21, a feature-amount calculating unit 30, and a rule updating unit 31, as illustrated in FIG. 2B. Further, the rule updating unit 31 is configured to include therein a user-similarity calculating unit 40, a recommendation-score calculating unit 41, and a grouping processing unit 42.

The rule database 20 is a database that stores therein one or more rules related to blocking of a request for each of the WEB servers 3. The rule for each WEB server 3 is stored in the rule database 20 independently of the rule for another WEB server 3. The rule stored in the rule database 20 forms a so-called “black list”. Therefore, the WAF server 2 determines that a request transferred from the WEB server 3 or the front-end server 4 is to be blocked when the request is stored in the rule database 20, and determines that the request is to be permitted when the request is not stored in the rule database 20.

The history database 21 is a database that stores therein a request log (an access log) for each of the WEB servers 3. The access log includes an IP address of a request source, a reception time of the request, a type of HTTP method (GET, POST, and the like), a URI of an accessed file (including a file name and an identifier), information of a device that has transmitted the request (such as an OS or a browser type), and information indicating a processing method of the request (blocking or permitting). The information indicating a processing method includes information indicating a rule used as the basis for blocking or permitting.

The feature-amount calculating unit 30 is a functional unit that calculates a feature amount for each of the WEB servers 3 based on the number of detections with regard to each index in each of the WEB servers 3. The index is, for example, a rule stored in the rule database 20 or a request type stored in the history database 21. The request type includes, for example, an HTTP method (GET, POST, and the like), an access destination process that is determined from a URI of an accessed file (logic, wordpress, wp-cron, wp-content, and the like), and an identifier included in the URI of the accessed file (php, css, js, gif, jpg, png, txt, html, and the like). The request type can be configured by grouping a portion of these items. In the following descriptions, access destination processes “wordpress”, “wp-cron”, and “wp-content” are used as one request type “wordpress”, and identifiers “gif”, “jpg”, and “png” are used as one request type “image”.

FIG. 3 is a process flowchart of a feature-amount calculating process performed by the feature-amount calculating unit 30. As illustrated in FIG. 3, the feature-amount calculating unit 30 first acquires the number of detections with regard to each index for each of the WEB servers 3 (Step S1). The feature-amount calculating unit 30 then calculates a feature amount for each of the WEB servers 3 based on the number of detections with regard to each index in each of the WEB servers 3 (Step S2). In the following descriptions, a case where the index is a rule and a case where the index is a request type are specifically described.

First, the case where the index is a rule is described. FIG. 7 is a diagram illustrating an example of the number of detections that is acquired when the index is a rule. A WEB server ID illustrated in FIG. 7 is information for identifying each individual WEB server 3, and a rule ID is information for identifying each individual rule. In the following descriptions, a WEB server 3 and a rule may be specified only by a description of a WEB server ID and that of a rule ID, respectively. The feature-amount calculating unit 30 reads an access log for each WEB server 3 from the history database 21, and adds up the number of blocked requests included in the access log for each corresponding rule. In this manner, as illustrated in FIG. 7, the feature-amount calculating unit 30 acquires the number of detections with regard to each rule in each WEB server 3.

FIGS. 8A and 8B illustrate a calculation example of a feature amount in a case where the index is a rule. FIG. 8A is a diagram illustrating calculation of a feature amount for host000039, and FIG. 8B is a diagram illustrating calculation of a feature amount for host000041. As illustrated in FIGS. 8A and 8B, the feature-amount calculating unit 30 calculates a ratio of the number of detections of each individual unauthorized access to the total number of detections for each WEB server 3, and further calculates a value obtained by subtracting the calculated ratio from 1 as a feature amount with regard to each rule. These calculations are represented by the following expressions (1) and (2). The feature amount for each WEB server 3 is represented by a set of feature amounts including a feature amount with regard to each rule calculated for the target WEB server 3 and a feature amount with regard to an undetected rule (=0). Ratio=number of detections/total number of detections   (1) Feature amount with regard to rule=1−ratio  (2)

FIG. 9 is a diagram illustrating a feature-amount matrix created by using a rule as an index. The feature-amount calculating unit 30 is configured to hold feature amounts (a set of feature amounts with regard to respective rules) for each WEB server 3 calculated in the manner described above in a matrix as illustrated in FIG. 9.

Next, the case where the index is a request type is described. FIG. 12B is a diagram illustrating an example of the number of detections acquired in the case where the index is a request type. FIG. 12B and FIGS. 12A and 12C described later illustrate data created in accordance with a format of data exchanged between various types of programming languages such as, e.g., JavaScript® Object Notation (JSON). The feature-amount calculating unit 30 reads an access log for each WEB server 3 from the history database 21, and adds up the number of requests included in the access log for each request type. In this manner, as illustrated in FIG. 12B, the feature-amount calculating unit 30 acquires the number of detections for each request type in each WEB server 3.

FIG. 12A illustrates a state before a portion of request types are grouped by the feature-amount calculating unit 30. As is understood from comparison between FIGS. 12A and 12B, a request type “wordpress” in FIG. 12B corresponds to a group of three request types “wordpress”, “wp-cron”, and “wp-content” illustrated with A1 in FIG. 12A. A request type “image” in FIG. 12B corresponds to a group of three request types “gif”, “jpg”, and “png” illustrated with A2 in FIG. 12A. The feature-amount calculating unit 30 assumes a plurality of request types forming a group (for example, the request types “wordpress”, “wp-cron”, and “wp-content”) as the same request type (for example, the request type “wordpress”), and performs the addition described above.

FIG. 12C is a diagram illustrating a calculation example of a feature amount in a case where the index is a request type. As illustrated in FIG. 12C, the feature-amount calculating unit 30 classifies request types into a plurality of classifications B1 and B2 in accordance with the contents thereof, and calculates a ratio of the number of detections of each individual request type to the total number of detections by the above expression (1) as a feature amount with regard to each request type for each WEB server 3 and for each classification. The feature amount for each WEB server 3 is represented by a set of feature amounts including the feature amounts with regard to the respective request types calculated for the WEB server 3 and a feature amount with regard to an undetected request type (=0).

FIG. 13 is a diagram illustrating an example of a feature-amount matrix created by using a request type as an index. The feature-amount calculating unit 30 is configured to hold feature amounts for each WEB server 3 calculated in the manner described above (a set of feature amounts with regard to respective request types) in a matrix as illustrated in FIG. 13.

Referring back to FIG. 2B, the rule updating unit 31 is a functional unit that updates a rule stored in the rule database 20 for each of the WEB servers 3 based on the feature amount calculated by the feature-amount calculating unit 30. Specific processes of the rule updating unit 31 are performed by using the user-similarity calculating unit 40 and the recommendation-score calculating unit 41 for a feature-amount matrix created by using a rule as an index, and are performed by the grouping processing unit 42 for a feature-amount matrix created by using a request type as an index. Each of the processes is described below in detail.

The user-similarity calculating unit 40 is a functional unit that calculates a user similarity indicating a mutual similarity among the WEB servers 3 based on the feature amounts calculated by the feature-amount calculating unit 30.

FIG. 4 is a process flowchart of a user-similarity calculating process performed by the user-similarity calculating unit 40. As illustrated in FIG. 4, the user-similarity calculating unit 40 calculates a user similarity by performing processes at Steps S12 to S16 for all combinations of the WEB servers 3 (Steps S10 and S11).

Specifically, the user-similarity calculating unit 40 first extracts a rule co-occurring for two target WEB servers 3 from a feature-amount matrix (Step S12). Co-occurring described here means that the number of detections is larger than zero in both WEB servers 3.

FIG. 10A is a diagram illustrating rules each co-occurring between host000039 and host000041. In this example, four rules (rule IDs: 31151, 31508, 31515, and 31516) are co-occurring. A numerical value at an intersection of a WEB server ID and a rule ID in FIG. 10A represents a feature amount included in a feature-amount matrix. A portion of these values are also illustrated in FIG. 9.

Referring back to FIG. 4, the user-similarity calculating unit 40 calculates a Euclidean distance with regard to each of the extracted rules (Steps S13 and S14). Specifically, calculation of a Euclidean distance is performed with the following expression (3). Euclidean distance=(feature amount for one WEB server 3−feature amount for the other WEB server)²  (3)

FIG. 10B is a diagram illustrating a Euclidean distance with regard to each rule calculated in the example illustrated in FIG. 10A. As illustrated in FIG. 10B, a Euclidean distance is calculated with regard to each rule.

Referring back to FIG. 4, the user-similarity calculating unit 40 then calculates a total value of the Euclidean distances calculated for the respective rules (Step S15) and calculates a user similarity based on the calculated total value (Step S16). Specifically, calculation at Step S16 is performed with the following expression (4). A user similarity obtained by this calculation indicates that, as the user similarity is larger, a difference between feature amounts is smaller. Therefore, a larger user similarity indicates that situations of attacks are more similar. User similarity=1/(1+total value^(0.5))  (4)

FIG. 10C is a diagram illustrating a total value of Euclidean distances and a user similarity calculated in the example illustrated in FIG. 10A. In FIG. 10C, the total value of Euclidean distances is a value obtained by totaling the Euclidean distances illustrated in FIG. 10B, and the user similarity is a value obtained by substituting the total value of Euclidean distances into the expression (4).

Referring back to FIG. 2B, the recommendation-score calculating unit 41 is a functional unit that calculates a recommendation score for each of the WEB servers 3 with regard to each of one or more rules that are not stored in the rule database 20 for the target WEB server 3 but are stored in the rule database 20 for another WEB server 3. The recommendation score is a weighted average of feature amounts weighted with the user similarities calculated by the user-similarity calculating unit 40.

FIG. 5 is a process flowchart of a recommendation-score calculating process performed by the recommendation-score calculating unit 41. The process illustrated in FIG. 5 is a process performed by the recommendation-score calculating unit 41 for each WEB server 3. As illustrated in FIG. 5, the recommendation-score calculating unit 41 extracts a rule that is not registered (that is, not stored in the rule database 20) for a target WEB server 3 but is registered (that is, stored in the rule database 20) for another WEB server 3 (Step S20). The recommendation-score calculating unit 41 then performs a process at Step S22 for each extracted rule (Step S21).

At Step S22, the recommendation-score calculating unit 41 calculates a weighted average of feature amounts (calculated by the feature-amount calculating unit 30) with user similarities calculated by the user-similarity calculating unit 40, and sets the calculated weighted average as a recommendation score that indicates a degree of recommendation to the target WEB server 3. Specifically, calculation of a recommendation score is performed with the following expression (5). However, a “registration status” is 1 for a WEB server 3 for which the rule is registered, and is 0 for a WEB server 3 for which the rule is not registered. The recommendation score obtained by this calculation has a value indicating that, as the value is larger, a corresponding rule is more frequently used for another WEB server 3 for which a situation of attack is similar. Recommendation score=Σ(feature amount×user similarity)/Σ(registration status×user similarity)   (5)

FIG. 11A is a diagram illustrating one or more rules that are not registered for host000039 but are registered for another WEB server 3. This example illustrates a case where such rules are stored only for two WEB servers 3, host000042 and host000049 for simplicity. As illustrated in FIG. 11A, in this example, five unregistered rules “31103”, “31510”, “31511”, “31533”, and “200002” are registered for host000042, and three unregistered rules “31103”, “31153”, and “31533” are registered for host000049.

FIG. 11B is a diagram illustrating a feature amount for each WEB server 3 illustrated in FIG. 11A. The feature amount illustrated in FIG. 11B is included in the feature-amount matrix illustrated in FIG. 9. However, FIG. 11B only illustrates a portion related to the rules listed in FIG. 11A which is extracted from the feature amounts described in the feature-amount matrix.

FIG. 11C is a diagram illustrating a recommendation score calculated by the above expression (5) with regard to each rule ID illustrated in FIG. 11B. In this manner, the recommendation-score calculating unit 41 calculates a recommendation score with regard to each unregistered rule.

Referring back to FIG. 2B, the rule updating unit 31 updates a rule stored in the rule database 20 for each of the WEB servers 3 based on the recommendation score calculated by the recommendation-score calculating unit 41. In this case, a way of referring to the recommendation score is optional. For example, a rule for which a recommendation score is a predetermined value or more can be added, rules corresponding to recommendation scores within a predetermined number from the largest recommendation score can be added, or a rule for which a deviation value of a recommendation score is a predetermined value or more can be added. As described above, a larger recommendation score means that a corresponding rule is more frequently used in another WEB server 3 for which a situation of attack is similar. Therefore, by updating a rule by this method, it is possible to appropriately select a rule required for each individual WEB server 3.

In the example of FIGS. 11A to 11C, when a rule for which a recommendation score is within three from the largest recommendation score is added, for example, the rule updating unit 31 newly registers three rules corresponding to rule IDs “31153”, “200002”, and “31510” into the rule database 20 for host000039.

Referring back to FIG. 2B, the grouping processing unit 42 is a functional unit that groups the WEB servers 3 based on the feature amounts calculated by the feature-amount calculating unit 30.

FIG. 6 is a process flowchart of a grouping process performed by the grouping processing unit 42. As illustrated in FIG. 6, first, the grouping processing unit 42 performs clustering for a feature-amount matrix (Step S32), and then groups the WEB servers 3 based on the clustering result (Step S33). As a specific clustering algorithm, it is possible to use various algorithms. For example, it is preferable to use DBSCAN (Density-based spatial clustering of applications with noise). By using DBSCAN, it is possible to group the WEB servers 3 based on the closeness between the feature amounts thereof.

FIG. 14 is a diagram illustrating an example of grouping of a plurality of WEB servers 3 by clustering. FIG. 15 is a diagram illustrating an output result of DBSCAN. Groups G0 to G2 illustrated in FIG. 14 respectively correspond to groups G0 to G2 illustrated in FIG. 15. FIG. 15 further illustrates groups G3 to G5.

Black circles in FIG. 15 each represent a WEB server 3. By using clustering in this manner, the WEB servers 3 can be grouped based on the closeness between the feature amounts. Because this feature amount is calculated by using a request type as an index as described above, it can be said that the WEB servers 3 assigned to the same group are similar to each other in a request status.

Referring back to FIG. 2B, the rule updating unit 31 makes a rule stored in the rule database 20 for one or more WEB servers 3 classified in the same group by the grouping processing unit 42 common to one another, thereby updating a rule stored in the rule database 20 for each of the WEB servers 3. It is considered the WEB servers 3 that are similar to each other in a request status are also similar in a required rule. Therefore, update of a rule in accordance with this method enables appropriate selection of a rule required for each individual WEB server 3.

As described above, according to the WAF server 2 of the present embodiment, it is possible to automatically select a rule required for each individual WEB server 3 based on the number of detections with regard to each index in each of the WEB servers 3. Therefore, it is possible to quickly deal with a new type of attack without making the size of rules very large.

Particularly, in a case of using a rule as an index, a recommendation score on which a status of use of each rule in another WEB server 3 that is similar in a situation of attack is reflected is calculated, and a rule is updated based on this recommendation score. Therefore, it is possible to appropriately select a rule required for each individual WEB server 3.

Further, in a case of using a request type as an index, a rule is updated by grouping WEB servers 3 that are similar to each other in a request status by clustering, and making a rule common to one another in a group. Therefore, also in this case, it is possible to appropriately select a rule required for each individual WEB server 3. In addition, a rule can be updated irrespective of an actual situation of attack. Therefore, it is possible to appropriately update a rule for a WEB server 3 that is not attacked very often.

While a preferred embodiment of the present invention has been described above, the present invention is not limited in any way to the embodiment described above, and it is needless to mention that the present invention can be implemented with variously modified embodiments without departing from the scope of the invention.

For example, the WAF server 2 can store the WEB servers 3 that have been already grouped, and can perform the processes described above within a group only. In this case, it is possible to prevent a rule-update status from spreading beyond the framework of a company or an organization.

Further, although FIG. 2A illustrates an example in which the WAF server 2 is configured by a single computer, the WAF server 2 can be configured by a set of a plurality of computers. This also applies to the WEB servers 3 and the front-end server 4. 

What is claimed is:
 1. A method of operating a firewall device, the method comprising: storing one or more rules related to blocking a request for each server of a plurality of WEB servers independently of a rule for another WEB server, each server of the plurality of WEB servers having a respective index; calculating a feature amount for each server of the plurality of WEB servers based on a cumulative number of detections with regard to each index for each server of the plurality of WEB servers; and updating a rule stored based on the feature amount calculated by the calculating of the feature amount for each server of the plurality of WEB servers, the updating comprising: calculating a user similarity indicating a mutual similarity between the WEB servers based on the feature amounts calculated by the calculating of the feature amount; calculating, for each WEB server, a recommendation score with regard to each rule of the one or more rules that are not stored for a corresponding WEB server but are stored for another WEB server, the recommendation score being a weighted average of the feature amounts weighted with the user similarities calculated by the calculating of the user similarity; and updating the rule stored for each of the WEB servers based on the recommendation score calculated by the calculating of the recommendation score.
 2. A firewall device comprising: a storage that stores therein one or more rules related to blocking a request for each server of a plurality of WEB servers independently of a rule for another WEB server, each server of the plurality of WEB servers having a respective index; and a processor and a memory that stores an instruction, wherein upon execution of the instruction, the processor operates as: a feature-amount calculator that calculates a feature amount for each server of the plurality of WEB servers based on a number of detections with regard to each index for each server of the plurality of WEB servers; and a rule updater that updates a rule stored in the storage based on the feature amount calculated by the feature-amount calculator for each server of the plurality of WEB servers, wherein the rule updater includes: a user-similarity calculator that calculates a user similarity indicating a mutual similarity between the WEB servers based on the feature amounts calculated by the feature-amount calculator; and a recommendation-score calculator that calculates, for each WEB server, a recommendation score with regard to each rule of the one or more rules that are not stored in the storage for a corresponding WEB server but are stored in the storage for another WEB server, the recommendation score being a weighted average of the feature amounts weighted with the user similarities calculated by the user-similarity calculator, and the rule updater updates the rule stored in the storage for each of the WEB servers based on the recommendation score calculated by the recommendation-score calculator.
 3. The firewall device as claimed in claim 2, wherein the index is a type of the request.
 4. The firewall device as claimed in claim 3, wherein the rule updater includes a grouping processor that groups one or more WEB servers of the plurality of WEB servers to form a WEB server group based on the feature amounts calculated by the feature-amount calculator, and the rule updater updates the rule stored in the storage for each WEB server of the WEB server group by making a rule stored in the storage for one or more WEB servers classified into the WEB server group by the grouping processor, common to every WEB server in the WEB server group.
 5. The firewall device as claimed in claim 2, wherein the plurality of WEB servers includes a target WEB server, and the rule updater adds one or more rules that are not stored in the storage for the target WEB server but are stored in the storage for another WEB server as one or more rules for the target WEB server to the storage.
 6. The firewall device as claimed in claim 2, wherein the index is the rule. 